A scam that targets businesses posting help-wanted ads online has already fleeced one company of $150,000, according to an advisory from the FBI that warns other businesses to be wary. The emails, which are sent in response to ads placed on employment websites, contain attachments that when opened infect the user's PC with …
There is a way to avoid this ...
I use Internet banking and hold money in a 'savings' account, which has no other means of access, only transferring money to my 'banking' account, which has ATM access, only just before I make withdrawals.
The ability to set up new transfer facilities to any other account has been disabled, which means such attacks are minimised.
I can only set up new accounts by way of a personal attendance at my bank branch.
Probably too extreme
Many companies find it necessary to send money to other companies in return for goods or services. That's what they call 'business as usual,' and it's mostly why bank transfers exist. Having $150K ready for such transfers would be a normal requirement for many businesses.
Why they would be doing this from a computer that is also used for reading e-mail from the great unwashed masses is a question worth asking though.
....but business needs suggest otherwise
All businesses (of which this is an example) need to pay people such as suppliers and staff. They have automated BACs systems which fire the money away from them. I don't think I would want to pop down to the bank to set up a payment for every new supplier etc.
However, you would have thought that the BACs system would be secure enough to not allow these things, and the company should check that the right payments are going out.
but most businesses use a hardware key tied to my bank. We are a smallish outfit with 30 staff, our bank gave us a card reader and card, we can only authorise computer transactions with the card in place. You then verify the transactions, put the card in and away it goes - you can see a list of transactions beforehand. (Technically the "bank" is a building society)
Never take offered or rounded amounts from ATMs
Most ATM scammers go for the maximum hit - I never take anything offered on the screen nor do I take, say $400, opting always for $390 which is easy to check off against a statement and helps you prove any thefts using different amounts weren't made by you.
Read the small script
*we need your money
Another way to avoid.
I recently had a relative become slightly paranoid about online banking. After a few minutes of racking my brain, a Linux 'Live CD' was the obvious choice.
Read only media, no system changes to existing setup, minimum of fuss. Boot from the CD, log into your bank, pay your bills etc, then just shut down. Whilst exploits will be known as the live CD ages, if you stick to just visiting the bank website, then you're pretty safe...
I realise that might not be so useful to businesses who need access to other documents at the same time etc, but it was an elegant workaround in my eyes.
Actors. They can be malicious.
JaitcH's plan only works if your local bank branch hasn't been closed.
Anti-Virus and not clicking on online adverts would seem to be a plan.
Re: JaitcH's plan only works if your local bank branch hasn't been closed
My branch is seven time zones away from where I am presently, at other times it is 12 zones distant. Haven't been there for over seven years!
That's one way to do things...or just completely disable all online EVERYTHING and only do things in person..maybe only accept payment requests cast in stone!.....Or there is another way to avoid this...don't be an idiot on the web maybe...but hey... that's just my idea :D
...recruitment consultants ;) They're busy robbing the rest of us all year round anyway, AC for obvious reasons...
Read the sonic wall dissection
If ANYONE even Jesus himself sent me an email application for a job in that format and wording I'd trash the email straight away.
Also if I owned the recruitment company, or my inhouse recruiter even attempted to look at the attachment, my hammer would be claiming overtime
I have figured you take comments.
I am quiet interested in it. So I send you my comment,
comment_26636363636363.zip (contains porn.exe)
that was my thought exactly
If I ever got a covering email for a job application that bad, it'd get binned without even opening the "resume"
This would point to the bank's lack of online security. Operating bank accounts with just a username/password is asking for trouble.
My personal account requires as authentication two different inputs which are not predictable (or replicable) and my business account requires a unique token code generated for each login by an external device.
No use to keyloggers which, I guess, were used for this attack.
dear oh dear...
It appears the payload relies on said business opening an attachment that is a .exe file, hardly sophisticated..
While it's disguised with a Word icon, the file name is still clearly, MyResume.exe
Surely lesson 1 for everyone when they started using email (or in fact computers in general) is "DON'T OPEN EXECUTABLE FILES FROM UNKNOWN SOURCES"
If people still get tricked by this then there is a problem with the training / education (probably none whatsoever) they have received on using PCs.
Also, up to date virus scanner.. yadda yadda
This has been a problem ever since Windows had the option to "hide extensions of known file types", which I always and routinely switch off on every computer I use. It doesn't help if the user doesn't know which extensions to avoid (or even what the extension was there for in the first place, but that's another whole class of problems waiting to happen), but hiding the extension certainly doesn't make things any better.
Making it the installed default doesn't help either.
It doesn't offend me as much when people are intentionally stupid, but when they are given a helping hand in being stupid I get annoyed.
Why was an .exe allowed to go through the mail system in the first place?
It always bugs me that these scams are so shoddily finished off. The idea is sound: use the advertised job application to find a legitimate way to send someone an attachment, but why is the covering email a) so generic and b) so poorly written? There must be countless sample covering letters available on tinterweb, just leaving the need to autofill the relevant job position and making up a name.
It strikes me as the equivalent of going to the trouble of obtaining genuine bank note paper with all the security features, and then painting on the design by hand.
"While it's disguised with a Word icon, the file name is still clearly, MyResume.exe"
Indeed, but since Windows 95 "hide file extensions for known file types" is turned on by default. Maybe other OS's do this too, I personally can't stand it but obviously the masses aren't deemed capable of discerning between different types of files.
ah.. forgot about that, since as someone else mentioned it's one of the first things I instinctively change whenever I use a new windows system.
Clearly a lot of people on old email software that doesn't warn when opening executable attachments.. or equally likely they just clicked through the warning
Typical Windows User...
Why would accounting be using the same computer as HR?
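
Several comments above ask why an .exe reached a mailbox at all and note that Windows hides the extension from the user. As an added example (not code from the article or from any commenter), here is a gateway-style attachment check that does not depend on what the recipient sees; the blocklist, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; a real gateway policy would be longer.
BLOCKED = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def extension(name):
    # Windows ignores trailing dots and spaces, so strip them before judging.
    base = name.lower().rstrip(". ")
    return "." + base.rsplit(".", 1)[1] if "." in base else ""

def inspect(name, data=b""):
    """Return the reasons an attachment should be quarantined (empty = pass)."""
    reasons = []
    if extension(name) in BLOCKED:
        reasons.append(f"{name}: blocked extension {extension(name)}")
    if data[:2] == b"MZ":  # DOS/PE header: an executable whatever it is called
        reasons.append(f"{name}: content starts with MZ header")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():  # names are listed without extracting
                reasons += [f"{name} -> {r}" for r in inspect(member)]
    return reasons

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings += inspect(part.get_filename() or "",
                            part.get_payload(decode=True) or b"")
    return findings

def sample_message():
    """Constructed sample: one bare .exe, one zipped .exe, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.doc.exe", b"MZ constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Job application"
    msg.set_content("Please find my resume attached.")
    for name, data in [("MyResume.exe", b"MZ constructed placeholder"),
                       ("application.zip", buf.getvalue()),
                       ("notes.txt", b"plain text")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(sample_message()):
        print("QUARANTINE:", finding)
```

The check on the first two bytes catches an executable that has simply been renamed, which a name-only filter would pass.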